Configure AWS Secrets Manager

With AWS Secrets Manager you can store your Redshift password in your own hosted AWS Secrets Manager, so ThoughtSpot can fetch it when needed. This eliminates the need for you to enter the password when you create a new Redshift connection.

Prerequisites

  • Hosted AWS Secrets Manager solution

  • ThoughtSpot cluster deployed on Amazon EC2 instance

  • AWS Secrets Manager feature enabled by contacting ThoughtSpot Support.

Configuring AWS Secrets Manager

Creating and storing the AWS KMS

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console.

  2. In the navigation pane, select Customer-managed keys, and then click Create key.

    Click create key
  3. To create a symmetric KMS key, for Key type choose Symmetric, and then click Next.

    Choose the Symmetric key type
  4. On the Add labels page, create an alias for the KMS key.

    Create an alias
  5. Select Next.

  6. Select the IAM users and roles that can administer the KMS key.

    Specify administrators for the key
  7. Select Next.

  8. Select the IAM users and roles that can use the KMS key for cryptographic operations.

  9. Select Next.

  10. Review the key settings that you chose. You can still go back and change all settings.

  11. Select Finish to create the KMS key.

Creating and storing the secret

  1. Sign in to the AWS Management Console.

  2. On the Secrets list page, select Store a new secret.

    Click Store a new secret
  3. On the Store a new secret page, select Other type of secrets. (This type allows you to store key value pairs or plain text.) You can then specify the secrets as key value pairs on this page.

    Select Other type of secrets
  4. For Select the encryption key, choose the AWS KMS key created in the Creating and storing the AWS KMS section.

  5. Select Next.

  6. Under Secret name, type a name for the secret. It can be only alphanumeric and can include these characters: /_+=.@-.

    Name the secret
  7. Select Next.

  8. Under Configure automatic rotation, select a type which enables AWS Secrets Manager to rotate the secret automatically.

    Select a type of automatic rotation
  9. Select Next.

  10. Review the final details, then select Store.

    This creates a secret.

Creating and storing the IAM Policy

  1. Sign in to the AWS Management Console and open the AWS IAM console.

  2. In the navigation column on the left, choose Policies.

    Choose policies in the left navigation column
  3. At the top of the page, select Create Policy.

    Click create policy
  4. Select the JSON tab. Enter the JSON policy using the following format.

    Example:

    {
      "Version": "2012-10-17",
      "Statement": [
    	{
      	"Effect": "Allow",
      	"Action": [
        	"secretsmanager:GetResourcePolicy",
        	"secretsmanager:GetSecretValue",
        	"secretsmanager:DescribeSecret",
        	"secretsmanager:ListSecretVersionIds"
      	],
      	"Resource": [
      "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c"
      	]
    	},
    	{
      	"Effect": "Allow",
      	"Action": "secretsmanager:ListSecrets",
      	"Resource": "*"
    	},
        	{
            	"Sid": "AllowKMS",
            	"Effect": "Allow",
            	"Action": [
                	"kms:Decrypt",
                	"kms:DescribeKey"
            	],
            	"Resource": [
                "arn:aws:kms:us-west-2:111122223333:key/mrk-5e2384a66c563d33b9a595de4702536"
            	]
        	}
      ]
    }
    The resource should have a Secret ARN for which the policy is defined, and the KMS used for it.
  5. Click Next: Tags, and then Next: Review.

  6. On the Review policy page, enter a Name and an optional Description for the policy that you are creating. Review the policy summary to see the permissions that are granted by your policy. Then select Create policy to save.

    Add a name for the policy and click Create policy

Creating and storing the IAM Role

  1. Sign in to the AWS Management Console and open the AWS IAM console.

  2. In the navigation column on the left, select Roles, and then click Create role.

    Click Roles and then Create role
  3. Choose the AWS service role type, and then choose the service that you want to allow to assume this role. For AWS secret manager choose EC2, then select Next: Permissions.

    Add service role specification
  4. Select the policy created in the Creating and storing the IAM policy section, and the click Next: Tags.

    Select the policy you created earlier
  5. Select Next: Review.

  6. Enter a Name and an optional Description for the role that you are creating.

    Enter a name for the role
  7. Review the role and then select Create role.

Attach an IAM role to an instance

  1. Open the Amazon EC2 console.

  2. In the navigation pane, select the instance, choose Actions  Security  Modify IAM role.

    Select Actions > Security > Modify IAM role
  3. Select the IAM role to attach to your instance, and then click Save.

Access secrets across AWS accounts

This section details the configuration required to access secrets across AWS accounts.

In the following example, there are two different AWS accounts. The first is a PRODUCTION account (the account where you run applications) and the other is a CENTRAL_SECURITY account (the account where you manage secrets). In your configuration you would use your specific account, key, secret, and role names.

  1. On the CENTRAL_SECURITY account:

    1. Create an AWS key as described in the Creating and storing the AWS KMS section.

    2. Create an AWS secret as mentioned in the Creating and storing the secret section.

    3. Create an IAM role with a policy which allows permissions for secrets and a KMS decryption used for the secrets as described in the Creating and storing the IAM Policy and the Creating and storing the IAM Role sections.

    4. Also under the trust relationships in IAM role, add the PRODUCTION account IAM role details to assume it.

      Example:

      {
        "Version": "2012-10-17",
        "Statement": [
      	{
        	"Effect": "Allow",
        	"Principal": {
          	"Service": "ec2.amazonaws.com"
        	},
        	"Action": "sts:AssumeRole"
      	},
      	{
        	"Sid": "VisualEditor3",
        	"Effect": "Allow",
        	"Principal": {
          	"AWS": "arn:aws:iam::982380164364:role/production_role"
        	},
        	"Action": "sts:AssumeRole"
      	}
        ]
      }
  2. On the PRODUCTION account, create an IAM role with a policy which assumes the CENTRAL_SECURITY account IAM role where secrets are defined.

    Example:

    {
    	"Version": "2012-10-17",
    	"Statement": [
        	{
            	"Sid": "VisualEditor0",
            	"Effect": "Allow",
            	"Action": "sts:AssumeRole",
            	"Resource": [
                	"arn:aws:iam::111122223333:role/central_security_role"
            	]
        	}
    	]
    }
  3. Attach the PRODUCTION account IAM role to EC2 instance, by following the steps in Attach an IAM role to an instance.


Related information